pod2g has just published a blog regarding an SMS vulnerability he's found in iOS that could allow someone to abuse the protocol for SMS in order to spoof or send fake text messages. The exploit has been an issue since the incarnation of iOS and is still present in iOS 6 beta 4.
He's now urging Apple to fix it.
He goes on to explain a bit about the protocol that is used to send SMS messages, PDU (Protocol Description Unit), and how it works.
PDU is a protocol that is pretty dense, allowing different types of messages to be emitted. Some examples : SMS, Flash SMS, Voice mail alerts, EMS, ... The specification is large and pretty complex. As an example, just to code the data, there are multiple possible choices : 7bit, 8bit, UCS2 (16bit), compressed or not, ...
The problem is that if you own a smartphone or a modem you have the ability to send messages in this raw type of format. There's also an optional section, UDH (User Data Header), that not all smartphones are compatible with but that allows more advanced features to be sent in a message. Some of these "more advanced features" include changing the reply-to address or sending the message from a different number altogether. The iPhone does support these features and contains a vulnerability that makes it susceptible to attacks by hackers that may choose to abuse this system.
pod2g lays out a few ways in which hackers could take advantage of this exploit:
- pirates could send a message that seems to come from the bank of the receiver asking for some private information, or inviting them to go to a dedicated website. [Phishing]
- one could send a spoofed message to your device and use it as a false evidence.
- anything you can imagine that could be utilized to manipulate people, letting them trust somebody or some organization texted them.
There are tools already available that make it rather simple to manipulate this data on smartphones. He's also created a tool for the iPhone 4 that he also plans on releasing. He is currently urging Apple to fix the issue before the public release of iOS 6 and warns that you should never trust an SMS message containing sensitive data on your iPhone in the time being.
Do you think releasing the tool will get Apple's attention or just cause more issues in the mean time for end users?
Source: pod2g
Apple developers despair as DTK rebate offers vary worldwide
Apple has confirmed to developers they must return their Developer Transition Kit's to the company by March 31, however many developers worldwide seem upset they aren't getting a full rebate of $500 US developers are.
Apple adds repairability scores to iPhone and Mac in France
Apple store listings for the iPhone and Mac now come with repairability scores in France as the company seeks to comply with new laws in the country.
Bill Gates has revealed why he prefers Android over Apple's iPhone
Bill Gates has revealed that he prefers to use Android over iPhone and iOS because of pre-installed Microsoft software and flexibility.
Keep your amiibo safe with these great storage cases
Every collector knows you need a proper storage solution and that's definitely true when it comes to your amiibo collection.